/**
 * Resolves the taint of a function call's result for this analysis pass.
 *
 * A call recognised by Sinks::isSinkFunction() is not resolved. It is stored in
 * $this->sinkNodes together with the taint values of its arguments, and the method
 * returns without a value. Any other call is delegated to the parent implementation,
 * and each argument is then registered on the result through
 * addAffectingParameterToAnalysisResult().
 *
 * @param FuncCall $exp the call expression under analysis
 * @return mixed the parent's result for non-sink calls; null for sink calls
 */
protected function resolveFuncResultTaint(FuncCall $exp)
{
    $callArgs = $exp->args;

    if (!Sinks::isSinkFunction($exp)) {
        $taintResult = parent::resolveFuncResultTaint($exp);

        foreach ($callArgs as $callArg) {
            // NOTE(review): ->value->name is read without checking the node type.
            // Arguments that are not plain variables (literals, nested calls,
            // dynamically named variables) may not carry a string name here.
            // Confirm how addAffectingParameterToAnalysisResult() treats those,
            // otherwise parameter-to-result flows could be dropped silently.
            $this->addAffectingParameterToAnalysisResult($taintResult, $callArg->value->name);
        }

        return $taintResult;
    }

    // The slot is keyed by $exp->getLine(), so a second sink call that reports the
    // same key replaces the entry stored for the first one.
    $sinkArgTaints = $this->getArgumentsTaintValuesForAnalysis($callArgs);
    $this->sinkNodes[$exp->getLine()] = new FunctionSinkNode($exp, $sinkArgTaints);

    // Sink calls deliberately yield no taint result (null for the caller).
    return;
}
/**
 * Tells whether the given call counts as a vulnerability sink for this analysis.
 *
 * The decision is delegated entirely to Sinks::isCodeInjectionSinkFunction(), so
 * only what that predicate accepts is treated as a sink here.
 *
 * @param FuncCall $funcCall the call expression to classify
 * @return mixed whatever Sinks::isCodeInjectionSinkFunction() reports for the call
 */
protected function isVulnerabilitySink(FuncCall $funcCall)
{
    $isCodeInjectionSink = Sinks::isCodeInjectionSinkFunction($funcCall);

    return $isCodeInjectionSink;
}
/**
 * Resolves the taint annotation for the result of a function call.
 *
 * Checks are applied in this order:
 *  1. input-reading calls produce a TAINTED result;
 *  2. calls whose name is itself an expression produce an UNKNOWN result;
 *  3. sanitising functions are handed to resolveSanitisationFuncCall();
 *  4. sink functions, when a vulnerability reporter is set, are passed to the
 *     reporter together with their argument taints;
 *  5. everything else (including sinks when no reporter is set) is analysed by
 *     the FunctionAnalyser obtained for the callee.
 *
 * @param Expr\FuncCall $exp the call expression under analysis
 * @return mixed a taint result for cases 1, 2, 3 and 5; null for case 4
 */
protected function resolveFuncResultTaint(Expr\FuncCall $exp)
{
    if (InputSources::isInputReadFuncCall($exp)) {
        return $this->createTaintResult(Annotation::TAINTED);
    }

    $calleeName = $exp->name;

    // The taint cannot be evaluated when the function's name is determined dynamically.
    // This return sits before the sink check below, so a dynamically named call is
    // never handed to the vulnerability reporter from this method.
    if ($calleeName instanceof Expr) {
        return $this->createTaintResult(Annotation::UNKNOWN);
    }

    // NOTE(review): the sanitiser lookup uses only getLast(), presumably the final
    // segment of the name. Confirm that a namespaced function sharing a sanitiser's
    // short name cannot be classified as sanitising by mistake.
    $shortName = $calleeName->getLast();
    if (SanitisingFunctions::isSanitisingFunction($shortName)) {
        return $this->resolveSanitisationFuncCall($exp);
    }

    $reportAsSink = Sinks::isSinkFunction($exp) && !empty($this->vulnerabilityReporter);
    if (!$reportAsSink) {
        // Analyser lookup stays ahead of the argument taint evaluation, as in the original order.
        $analyser = FunctionAnalyser::getFunctionAnalyser($exp->environment, $calleeName);
        $taintedArgs = $this->getArgumentsTaintValuesForAnalysis($exp->args);

        return $analyser->analyseFunctionCall($taintedArgs, $this->vulnerabilityReporter);
    }

    $taintedArgs = $this->getArgumentsTaintValuesForAnalysis($exp->args);
    $this->vulnerabilityReporter->runNodeVulnerabilityChecks($exp, $taintedArgs);

    // NOTE(review): the sink branch produces no taint result, so callers receive null
    // instead of an annotation. Confirm callers handle that and that the sink's return
    // value is not meant to carry taint forward.
    return null;
}